Is your security focus blurred?
On 30th January Hacked published an article entitled: An Airgap Won’t Secure Your Computer Any More. Researchers harvested keystrokes by interpreting electromagnetic emissions. Suggested mitigation…stick your PC in a Faraday cage.
I’m trying hard not to sound facetious and I don’t want to undermine the work that went into that research, but of course an airgapped machine can be compromised….
You (or the insider you coerced) walk up to it, stick a BadUSB stick in it, plant a camera to record the admin password, use the password you’ve socially engineered out of someone, pour coffee in it, hit it with a stick, or pick the bloody thing up and walk off with it!
Why am I a tad ticked off? Because there’s an avalanche of content about obscure vulnerabilities, bleeding-edge hacking techniques and pricey “hack-proof” solutions. Then there are the APTs and new vulnerabilities in the IoT (anyone need info on how brown I like my toast?), hundreds of them, every day (if the media is to be believed). A fantastic distraction from the daily threats walking in through your front door.
As one very smart chap of my acquaintance said:
“There’s no point spending a fortune on security toys if someone can just waltz in and nick stuff”
Many folk are still rightly focused on access control and plenty of monitoring tools suggest they can mitigate your insider risk (using algorithms to assess staff comms and clicks may yet yield results if tuned right and deemed acceptable). But at the same time, security awareness is still mainly amateur, there’s little discussion of physical security and no-one in security seems to be talking about staff screening. Controls of equal importance to the latest anti-APT tech marvel.
Not forgetting that the vast majority of inconsistently Advanced, debatably Persistent and variably serious Threats need human interaction to succeed. A new unaccompanied cleaner, a click here, a download there, information let slip everywhere. But don’t take my word for that: Ed Wallace (Director of incident response and advanced threats at MWR InfoSecurity) in SC Magazine:
‘90 percent’ of countries simply rely on email phishing, with the minority having more advanced capabilities for water holing attacks and data exfiltration. Other experts say social engineering is – along with software vulnerabilities and poorly-configured security – the best entry into an organisation.
Insider and physical security risk in the news
- On 29th January the BBC reported that Her Majesty’s Government had lost discs with dangerously sensitive details of 3 contentious murder cases. Lives are likely to be at risk if that data can be extracted.
- The average Londoner carries 461GB of data with them (according to Mozy research by EMC), 34% of people admitted to losing a device containing data in the last 12 months, and Transport for London had 15,000 mobile phones, 506 tablets and 528 laptops left on buses and trains in 2013.
- In Vormetric’s 2015 Insider Threat Report, only 11% of the 800-odd professionals questioned felt they were not vulnerable to insider threats, with 55% of global respondents claiming privileged users remain one of the biggest threats to their organisation.
- Of 1,000 staff surveyed by SailPoint, 1 in 7 would sell their passwords for as little as £100 and 20% share passwords with colleagues (for more from the survey click on the graphic, or follow this link)
- The Sony hack was convincingly reported as being enabled by insider collusion (it’s highly unlikely data extracted could have been so efficiently targeted without it)
- Snowden – whether you think he’s a hero or villain, effective staff screening might have picked up his likelihood to breach security. The US Government certainly thinks so. They’re in the process of suing the company that vetted him (a sobering thought for HR?).
What you don’t get to hear about
These examples are the stuff we get to hear about. Beneath them sits a mountain of low-grade crime perpetrated using approved system access: extracting funds, saleable data or identities.
In the near future one of your trusted staff will get overheard saying something they shouldn’t, get shoulder surfed on public transport, or spill the corporate beans to someone who massages their ego on the phone or in person. Every day another few hundred mobile devices will go missing. Devices that are increasingly used (with or without official permission) for business communications.
A significant portion of that may never be discovered, properly investigated to pin down root cause, or added to any statistics. The statistics we use to estimate risks and prioritise mitigation.
Security awareness – because you’re worth it
Reams have been written on security awareness:
- FOR: The 2014 PWC Cybercrime Survey and this Aberdeen University research say training saves money and reduces incident frequency and/or financial impact.
- AGAINST: In 2013 Bruce Schneier controversially argued we shouldn’t bother training end users because it’s a waste of time. Instead we should mitigate our people risk with better tools and better-configured systems. A drum previously banged, in a slightly different way, by Dave Aitel in this CSO Online article.
Reality falls between those two camps. Most education is woefully inadequate. Little of it uses the psychological tools that cyber criminals have mastered. If in doubt about the effectiveness of social engineering tactics, consider that Richard De Vere (social engineering expert and advanced people/system pentester) has an 80% success rate getting confidential data out of his spear phishing targets. This isn’t “We’re your bank HONEST, just click here and type in your password”, this is extremely sophisticated manipulation, tailored for individual recipients.
A shift to social anomaly detection?
One suggestion to make a difference: do what we’re increasingly doing with perimeter and endpoint defence. Move away from formulaic approaches based on known attacks. Instead, focus training on how to spot anomalies: how to recognise human, computer and telephone interactions that are not ‘right’. Most would argue the devil is in the detail of how suspicious activity gets defined, and in the very variable intelligence of the automated solutions. Their false negatives often make them less effective than loyal and vigilant peers.
Do you need a Security Communications Manager?
In a Security Culture Show webcast with Kai Roer and Mo Amin, we agreed that change often starts with an evangelist (that discussion starts at about minute 16). I suggest a replacement for the typical security awareness lead. Proposed title: Security Communications Manager. Responsible for improving the tone, presentation and content of all key exchanges between security and the business. Forging close relationships with marketing and other comms specialists to leverage their expertise. Moving away from an exclusive focus on end users, to well-framed messages tailored for each distinct stakeholder group. Bringing their view of business objectives and risks back into IT and security and, crucially, framing the InfoSec picture coming out of IT and security operations in a way that gets attention, contextualises and shouts about added value.
Physical security – not sexy, but serious
Maybe revisit the links at the top, think about other recent high profile incidents, then consider how many related controls fall under the remit of physical security.
Travel security, physical device security, secure disposal of documents, devices and media, secure transit for documents, devices and media, physical incident response, preventing unauthorised access to buildings and internal secure areas and tracking authorised access. All critical to safeguard people, kit and data.
Physical security is not sexy and is based on pretty well defined principles, but it does take an expert to apply economically and effectively. For anyone needing a refresher, the CPNI is a good source of guidance. Alternatively seek out your in-house expert. You’ll make their day.
Staff screening & ongoing monitoring
Staff screening has been paid little or no attention in security circles of late. Perhaps because it’s mainly the domain of HR, an area traditionally protective of its remit.
A forensic psychologist’s perspective on screening staff
Here’s an insightful comment from Jonathan Dudek (Principal at the HUMINT Group International and ex-FBI Dr of Forensic Psychology). He was responding on LinkedIn to the Vormetric survey already quoted:
“…companies need to invest more effort (and funds) to fully screen those individuals in critical positions.
Law enforcement agencies conduct pre-employment screenings (including a full background investigation, polygraph, medical, psychological assessment, etc.) on candidates to ascertain their suitability to perform armed police service. Of course, any corporate due diligence and screening must comply with employment laws, but the concept, in my humble opinion, is the same.
Police agencies screen their candidates who may someday possess the means to use deadly force. Similarly, those with access to critical data/infrastructure (witness Snowden) may be destructive. In the case of police agencies and municipalities, poor candidate screening (negligent hiring) may result in significant liability risk down the road (e.g., inappropriate use of force or conduct), potentially costing millions of dollars civilly. Lawsuits would also follow a data breach. Yes, it might cost companies more at the outset, but, as the adage says, “An ounce of prevention….””
Unsecured employee satisfaction?
As a counterpoint to all that, how are you treating people? Access creeps when you have too few staff to segregate roles, and you open the door to manipulation by malicious insiders or outsiders when the pressure is inhumanely high.
Beyond screening there are the annual staff satisfaction surveys. Are those working?
Jenny Radcliffe (One of the UK’s leading people hacking, social engineering and negotiations experts) says all staff are susceptible to manipulation to one extent or another. Key psychological hooks used:
- Time and
One factor multiplies the effectiveness of all others:
Time for a long overdue chat with HR? So while cyberterrorism is terrifying, APTs are appalling and the IoT is as holey as heck, many less sexy risks can go under the radar.
Maybe bear that in mind when the next vendor begs an hour to show off their shiny new tool. Perhaps forego that pleasure to spend time thinking about physical security, how your staff might be failing you and how you might be failing your staff.